Analysis
- max time kernel: 283s
- max time network: 299s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 23:25
- Static task: static1
- Behavioral task behavioral1: Sample c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, Resource win7-20221111-en
- Behavioral task behavioral2: Sample c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, Resource win10v2004-20221111-en
General
- Target: c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe
- Size: 212KB
- MD5: 4e19fda8d79313ec8698f7313222aa44
- SHA1: a1fe7ca6e944beb31d2907e782bc5972a7e2ff3a
- SHA256: c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d
- SHA512: c42bf1ea7dd29d8c49fb5dbc15fa2f7999c23afaa82d578bee27429daf4595e3462a32489f68a0c5254bad5c87f50695deee2655933aec6a5f1684acea5386a1
- SSDEEP: 3072:YhQTUwEYksBFJdIdNg0qHaBheXkbxWPobjHCADDv0dqv8AmA2xCkXK:YPwlJdIETdXkbcPujiev2PS
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 3020, process elidi.exe
  pid 832, process elidi.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run, process elidi.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Igynh = "C:\\Users\\Admin\\AppData\\Roaming\\Feafzu\\elidi.exe", process elidi.exe
  Key created: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\Currentversion\Run, process elidi.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1972 set thread context of 3824 (process c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, procid_target 82)
  PID 3020 set thread context of 832 (process elidi.exe, procid_target 84)
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid 832, process elidi.exe (50 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege, pid 3824, process c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID -> target PID (process, procid_target): number of entries
  1972 -> 3824 (c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, 82): 8
  3824 -> 3020 (c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, 83): 3
  3020 -> 832 (elidi.exe, 84): 8
  832 -> 2460 (elidi.exe, 15): 5
  3824 -> 1984 (c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe, 85): 3
  832 -> 2476 (elidi.exe, 49): 5
  832 -> 2608 (elidi.exe, 46): 5
  832 -> 784 (elidi.exe, 41): 5
  832 -> 3108 (elidi.exe, 40): 5
  832 -> 3312 (elidi.exe, 39): 5
  832 -> 3400 (elidi.exe, 38): 5
  832 -> 3472 (elidi.exe, 17): 5
  832 -> 3564 (elidi.exe, 37): 2
Processes
- C:\Windows\system32\sihost.exe (level 1, PID 2460)
  Command line: sihost.exe
- C:\Windows\System32\RuntimeBroker.exe (level 1, PID 3472)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (level 1, PID 3816)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 3564)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 3400)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe (level 1, PID 3312)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe (level 1, PID 3108)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE (level 1, PID 784)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe (level 2, PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe (level 3, PID 3824)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c6e7032aca186d4c52957197d8c50930fc78ec29f0f1917c4b41e43eff32087d.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Feafzu\elidi.exe (level 4, PID 3020)
        Command line: "C:\Users\Admin\AppData\Roaming\Feafzu\elidi.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Feafzu\elidi.exe (level 5, PID 832)
          Command line: "C:\Users\Admin\AppData\Roaming\Feafzu\elidi.exe"
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 1984)
        Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9e95619e.bat"
        - C:\Windows\System32\Conhost.exe (level 5, PID 4340)
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\taskhostw.exe (level 1, PID 2608)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe (level 1, PID 2476)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\backgroundTaskHost.exe (level 1, PID 2720)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (level 1, PID 1008)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Downloads
- Filesize: 307B
  MD5: 2cfec45497f1456ee7296edc9f785dfd
  SHA1: d8a29be29e95b82f8d6ff82f776551677507f2fb
  SHA256: 09ae66a3f86ca51a9a44a4f74406c04eb38bfad5a02d7b5177f02e6364454341
  SHA512: 26269ecd8e416e298ad3a5b02981dce49ed6811b8d7973f0810feaa29135b8a4821baac11e6bd34af10504921910c936be0006ebeaee27292028d82d60cbc5dc
- Filesize: 212KB
  MD5: e97d937be62f4e97d9a13cb90ea09586
  SHA1: 100a9576a81aa1a93f9a66d731c6ea9363566bf7
  SHA256: 9405241916a20a055298c8c1d949368f061dda910b59fc0cde2adaa5d28659dd
  SHA512: 36e907ff7d80865e639584770be859ef511872bc64afa47241d14e206f29e5e23b53f3bce27f6fbaddb54f4f745543f2d0c951e925f74d5362ec6d36beada54a